Storing custom signed data in the key

Tomasz Buchert tomasz at
Sat Aug 17 18:45:24 CEST 2019

Hey Gnupg users,

what would be the most "canonical" way to store arbitrary, signed data
along the gpg key? And then: what is the programmatic way of extracting
said data?

My specific usecase is putting a signify [1] public key inside my GPG
key, so that I can leverage key distribution to push my signify key.
After some digging, I was able to add a "notation" to one of my UIDs,
using "edit-key" + "notation", and now I have a signed notation inside
a self-sig. See:

$ gpg --no-options --list-options show-notation --check-sigs KEYID | grep pub at signify
   Signature notation: pub at signify=SIGNIFYKEY

This extraction process seems dangerous to me, however, since an
attacker could add a dummy signature on my key with the same
notation. I can improve the above by interpreting the input more
thoroughly, since the notation follows the signature info:

sig!3    N   KEYID 2019-08-17  User Example <user at>
   Signature notation: pub at signify=SIGNIFYKEY

By checking the signature verification status ("sig!") and KEYID I can
ensure that the notation is valid.

Does it make sense? Is it a good idea? What would be a better way?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list